Update dependency org.keycloak:keycloak-parent to v26.5.7 - autoclosed #9
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/keycloak.version"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
26.4.2→26.5.7Release Notes
keycloak/keycloak (org.keycloak:keycloak-parent)
v26.5.7Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
admin/apiaccount/apiEnhancements
dist/quarkusBugs
corev26.5.6Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
oidcoidccoreuser-profileorganizationsBugs
storageauthenticationadmin/apioidcoperatorldapcoredocsinfinispantoken-exchangeorganizationsv26.5.5Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
v26.5.4Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
samlsamlEnhancements
Bugs
oidcstoragesamloidcorganizationsoperatorinfinispaninfinispandocsadapter/javascriptinfinispanoidcciv26.5.3Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
Enhancements
operatorBugs
admin/client-jsdist/quarkusdist/quarkusdist/quarkustestsuitecidocsv26.5.2Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
dependenciesEnhancements
dist/quarkusBugs
user-profileinfinispanoidcadmin/uicoreinfinispanuser-profiledocsorganizationsdist/quarkusoidctoken-exchangeorganizationsv26.5.1Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
Bugs
test-frameworkadmin/fine-grained-permissionsorganizationsadmin/uiadmin/uiauthenticationadmin/uistorageadmin/uidocssamlorganizationsadmin/client-javalogin/uiv26.5.0Compare Source
Highlights
This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:
Workflows to automate administrative tasks and process within a realm.
JWT Authorization Grants, our recommended alternative to external to internal token exchange.
Guide for using Keycloak as an authorization server for Model Context Protocol (MCP) servers.
Authenticating clients with Kubernetes service account tokens to avoid static client secrets.
OpenTelemetry support for metrics and logging, combining all observability information in this popular standard.
Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.
Security and Standards
JWT Authorization Grant (preview)
Keycloak 26.5 introduces a new feature called JWT Authorization Grant, which adds support for RFC 7523 to use external signed JWT assertions to request OAuth 2.0 access tokens.
To accept signed JWT assertions, a trust relationship must be established between the external provider and Keycloak. This trust relationship can be configured through an identity provider in a dedicated section of the OpenID Connect v1.0 identity provider, or through the new JWT Authorization Grant identity provider.
JWT Authorization Grant is recommended as an alternative to External to internal token exchange V1. This feature is in preview, and additional details are available in the dedicated documentation.
Using Keycloak as an authorization server for Model Context Protocol (MCP) servers
Using Keycloak as an authorization server for Model Context Protocol (MCP) servers is becoming popular, so this release ships additional documentation on how to do this.
See Integrating with Model Context Protocol (MCP) for the new guide.
Many thanks to Takashi Norimatsu for the contribution.
CORS enhancements
CORS (Cross Origin Resource Sharing) is a browser security feature that controls how web pages on one domain can request resources from a different domain.
For the OpenID Connect Dynamic Client Registration, you can now specify which CORS headers are allowed via the client registration access policies.
For the overall CORS configuration, you can now allow environment specific headers to be allowed using the SPI option
spi-cors--default--allowed-headers.Logout confirmation page
The client logout configuration now includes an option to show a logout confirmation page. When enabled, users will see a “You are logged out” confirmation page upon successful logout.
Many thanks to Sebastian Łaskawiec for the contribution.
Hiding OpenID Connect scopes from the discovery endpoint
Previously, all scopes of an OpenID Connect client were advertised in the discovery endpoint.
In some situation you might want to avoid it, as the calling client, for example, an MCP server might not support it, or you might want to hide some scopes for preventing their discovery via public APIs.
You can now prevent this by disabling Include in OpenID Provider Metadata.
Administration
Workflows (preview)
Keycloak introduces a new preview feature called Workflows, which allows administrators to automate administrative tasks and process within a realm, introducing a key capability for Identity Governance and Administration (IGA).
For more details, see the Server Administration Guide.
Federated client authentication (preview)
Federated client authentication remains preview due to receiving a number of enhancements and fixes.
There is now preview support to use Kubernetes service accounts tokens as credentials for clients, which avoids static secrets for OpenID Connect clients.
See Kubernetes identity providers in the Server Administration Guide for details.
Organization invitation management
Organization administrators can now manage organization invitations through both the Admin Console and REST API:
View all sent invitations with their current status (Pending, Expired)
Resend pending invitations to recipients
Delete invitation records from the system
Filter invitations by status for easier management
All invitations are now persistently stored in the database, providing better tracking and management capabilities.
The invitation management features are available in the Invitations tab when managing an organization in the Admin Console, and through the Organizations REST API endpoints under
/admin/realms/{realm}/orgs/{orgId}/invitations.New event
USER_SESSION_DELETEDFor each expired user session there is a new user event
USER_SESSION_DELETEDfired. This event is published approximately 3-10 minutes after the session has expired depending on job scheduling and load on the system. By default, this event is not persisted.Configuring and Running
Containers for PowerPC 64-bit Little Endian architecture
The containers for both the Keycloak and its operator are not available as well for the PowerPC 64-bit Little Endian (ppc64le) architecture. This is in addition to the existing amd64 and arm64.
We expect this to allow users to optimize their usage of open hardware and power consumption.
Improved server response times
Authentication, user, and client sessions are now created on the respective Keycloak node and avoid extra remote calls to neighbors when reading or writing them to the embedded caches. When you have sticky sessions enabled in your loadbalancer, you will benefit from this feature automatically, and you should see reduced response times when authenticating users.
Expired user sessions are now deleted from the database in small batches, instead of issuing a delete statements that affects the whole table. This should allow for better response times when there are a lot of sessions in the table.
Enhanced HTTP performance (preview)
You can now enable a more efficient way to handle JSON data in the HTTP layer. This change increases throughput by ~5%, stabilizes response times, and reduces system resource usage.
In order to apply it, you need to explicitly enable the feature
http-optimized-serializers.For more details, see the Configuring Keycloak for production guide.
Configure retry behavior for outgoing HTTP requests
Keycloak has now more flexibility how to configure retrying of outgoing HTTP requests. This is useful for handling transient network errors or temporary unavailability of the service where Keycloak needs to send HTTP request. Retry behavior is disabled by default and must be explicitly enabled. More details are available in the Outgoing HTTP requests documentation.
Many thanks to Chance Coleman for the contribution.
Enable/disable features via a single option
You can now enable or disable individual features using the
feature-<name>option (likefeature-spiffe=enabled).This provides a more fine-grained way to manage features and eliminates the need to maintain long lists of enabled or disabled features.
The
feature-<name>option takes precedence over bothfeaturesandfeatures-disabled.For more details, see the Enabling and disabling features guide.
Client certificate lookup compliant with RFC 9440
You can now use a new client certificate lookup provider that is compliant with RFC 9440. This enables native support e.g. for Caddy and other reverse proxies that follow the RFC. For details, navigate to Enabling Client Certificate Lookup section of the documentation.
Running Keycloak as a Windows service
Keycloak can now be installed and run as a Windows service using Apache Commons Daemon (Procrun). The new
tools windows-serviceCLI subcommand simplifies service installation and uninstallation.The service runs
kc.bat startas an external process, ensuring all environment variables and configuration files are respected. This provides seamless integration with the Windows Services management console and enables automatic startup on system boot without requiring a user to be logged on.For more information, see the Running Keycloak as a Windows Service guide.
Observability
OpenTelemetry enhancements
OpenTelemetry Logs (preview)
Keycloak now supports exporting logs to OpenTelemetry collectors, enabling centralized log management. This preview feature allows you to export Keycloak logs to any OpenTelemetry-compatible backend and use the same OpenTelemetry collector for logs, metrics and traces.
For more details, see the Centralize your observability stack with OpenTelemetry guide.
OpenTelemetry Metrics (experimental)
Keycloak now provides the experimental support for exporting metrics to OpenTelemetry collectors by using the Micrometer-to-OpenTelemetry bridge. This experimental feature allows you to export Keycloak metrics to any OpenTelemetry-compatible backend and use the same OpenTelemetry collector for logs, metrics and traces.
For more details, see the Centralize your observability stack with OpenTelemetry guide.
Export traces with custom request headers
It is now possible to set request headers for exporting traces via OpenTelemetry Protocol (OTLP). It is mainly useful for providing tokens in the request.
You can specify these headers via the
tracing-header-<header>wildcard option, accepting any custom header name.For more details, see the Root cause analysis with tracing guide.
MDC Logging feature (supported)
The
log-mdc:v1feature has been promoted from a preview feature to a supported feature.MDC enables Keycloak to enrich log entries with contextual information such as realm, client, user ID and IP address, significantly improving debugging and observability.
For more details, see the Adding context for log messages guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Deprecated features
admin/fine-grained-permissionsRemoved features
New features
coreobservabilitydist/quarkustest-frameworkEnhancements
corecoreadmin/fine-grained-permissionsadmin/uiinfinispanoperatordocsobservabilityauthenticationobservabilityobservabilitycoreadmin/client-jsworkflowscoreorganizationsdocsworkflowsdist/quarkususer-profiledocsobservabilityworkflowsdocsoid4vcuser-profileadmin/uiadmin/apiworkflowsworkflowsworkflowsworkflowsdist/quarkusdist/quarkusworkflowsworkflowsadmin/uiworkflowsworkflowsoid4vcworkflowstoken-exchange/standardobservabilityworkflowsworkflowslogin/uiworkflowsoid4vcworkflowsworkflowsoid4vcworkflowseventseventsworkflowsdocsBugs
ciauthenticationcidist/quarkustest-frameworktest-frameworktestsuiteadmin/fine-grained-permissionsauthorization-servicestestsuiteadmin/fine-grained-permissionstranslationsadmin/uiadmin/uiauthenticationcoretestsuiteadmin/apicorecoreadmin/uitoken-exchangeoidcciadmin/uitestsuitetestsuiteimport-exportauthorization-servicestestsuitedist/quarkusadmin/uiidentity-brokeringoidccoreadmin/uiuser-profileadmin/uidocsdocstranslationslogin/uidocsdocsdist/quarkusinfinispandocsadmin/apidocsadmin/uidocsoidcadmin/uildapsamloidcoidcoidcdocssamlinfinispanauthenticationadmin/fine-grained-permissionsinfinispaninfinispancidist/quarkusdocsadmin/fine-grained-permissionscioidclogin/uicoreciadmin/clidocsoidccorecoreadmin/apiadmin/fine-grained-permissionsadmin/fine-grained-permissionsldapcildapadmin/uidist/quarkusidentity-brokeringciadmin/uiuser-profileldapauthentication/webauthncorelogin/uiadmin/apildapcicidist/quarkuscoredist/quarkusoperatoruser-profileimport-exportadmin/uioidcimport-exportoid4vcadmin/uidist/quarkusoidctestsuiteauthorization-servicesauthorization-servicescicoreadmin/uicilogin/uiuser-profiledist/quarkusadmin/uicoreorganizationsoid4vctestsuiteidentity-brokeringtest-frameworkauthentication/webauthncoreoperatordocsinfinispanidentity-brokeringinfinispandocsoid4vcoidctestsuiteadmin/client-jsadmin/uioperatorcoresamladmin/fine-grained-permissionsldaptranslationscoretranslationslogin/uiworkflowsworkflowsworkflowssamlsamloidccoreorganizationsadmin/apitranslationsldapldapinfinispanadmin/apisamlauthenticationoid4vcdocstestsuitetoken-exchangedist/quarkuslogin/uiauthentication/webauthnoid4vcoid4vcoid4vcoid4vcoid4vctestsuitetestsuiteoidctest-frameworkciadmin/uicitestsuitecoretranslationsdocsdocsorganizationscoreadmin/uiadmin/uiadmin/client-javaadmin/uiv26.4.7Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
docsdist/quarkusBugs
samlcorev26.4.6Compare Source
Highlights
This release adds filtering of LDAP referrals by default. This change enhances security and aligns with best practices for LDAP configurations.
If you can not upgrade to this release yet, we recommend disabling LDAP referrals in all LDAP providers in all of your realms.
For detailed upgrade instructions, review the upgrading guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
Bugs
infinispanlogin/uiciadmin/uiidentity-brokeringdocsinfinispaninfinispanadmin/client-jscorev26.4.5Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
cidocscoreuser-profileimport-exportauthorization-servicesuser-profiledist/quarkusadmin/uitestsuitev26.4.4Compare Source
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
admin/apiBugs
admin/uiadmin/uidocslogin/uidist/quarkusadmin/fine-grained-permissionsoidccoreadmin/apiadmin/fine-grained-permissionsadmin/fine-grained-permissionsldapidentity-brokeringauthentication/webauthncoreadmin/apidist/quarkuscoredist/quarkusoperatoruser-profileoidctestsuitev26.4.3Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
Update dependency org.keycloak:keycloak-parent to v26.5.7to Update dependency org.keycloak:keycloak-parent to v26.5.7 - autoclosedPull request closed